[Python-ideas] Adding a safe alternative to pickle in the standard library
Antoine Pitrou
solipsis at pitrou.net
Thu Feb 21 18:24:52 CET 2013
On Thu, 21 Feb 2013 17:22:47 +0000, Mark Hackett <mark.hackett at metoffice.gov.uk> wrote:
> On Thursday 21 Feb 2013, Devin Jeanpierre wrote:
> > On Thu, Feb 21, 2013 at 10:50 AM, Dustin J. Mitchell <dustin at v.igoro.us> wrote:
> > > When you put something in the stdlib and call it "safe", even with
> > > caveats, people will make even more brazen mistakes than with a
> > > documented-unsafe tool like pickle.
> >
> > Then how do we improve on the status quo? The best situation can't
> > possibly be one in which the standard serialization tool allows for
> > code injection exploits out of the box, by default, and where there
> > is no reasonable alternative in the stdlib without such problems.
>
> By writing your application for its needs, not the needs of 10000
> programs yet to be written and making the wrong assumption and
> putting it in a stdlib.
>
> If every problem could be solved with a stdlib call, there'd only
> have to be one programmer in the world...
You're forgetting the millions of stdlib programmers :-)
Regards
Antoine.
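The exchange above turns on the fact that a pickle stream can name any importable global, which is what makes loading untrusted pickles equivalent to running untrusted code. As an added illustration (not code from this thread or from CPython), the following uses the restriction hook that `pickle.Unpickler` already exposes: `find_class` is overridden so that only an allowlist of builtins may be referenced, and every other global lookup is refused. The allowlist `SAFE_BUILTINS`, the helper names `restricted_loads`, `try_load` and `run_samples`, and the sample objects are all constructed for this example.

```python
import builtins
import collections
import datetime
import io
import pickle

# Assumed allowlist for this example: the only globals an untrusted stream
# may reference. Plain containers (dict, list, tuple, str, int, ...) need no
# global lookup at all, so they load regardless of this list.
SAFE_BUILTINS = frozenset({"set", "frozenset", "range", "slice", "complex"})


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses any global not on the allowlist.

    pickle resolves every GLOBAL/STACK_GLOBAL opcode through find_class, so
    this single override decides which callables a stream can reach.
    """

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads that applies the allowlist."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_load(data: bytes):
    """Return (True, obj) on success, (False, reason) when the stream is refused."""
    try:
        return True, restricted_loads(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed sample streams: two that stay inside the allowlist and two that
# reference globals outside it (harmless classes, but the mechanism is the same
# one that lets a hostile stream reach arbitrary callables).
SAMPLES = {
    "plain_containers": pickle.dumps({"a": [1, 2.5, "x"], "b": (True, None)}),
    "allowed_builtin": pickle.dumps(frozenset({1, 2})),
    "ordered_dict": pickle.dumps(collections.OrderedDict(a=1)),
    "date": pickle.dumps(datetime.date(2013, 2, 21)),
}


def run_samples():
    """Load every sample through the restricted unpickler and report the outcome."""
    return {name: try_load(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, result) in run_samples().items():
        print(f"{name:17s} {'loaded' if ok else 'refused'}: {result!r}")
```

Note what this does and does not buy: the allowlist stops the stream from reaching callables such as `os.system` or `subprocess.Popen`, but any class you do allow is still instantiated with attacker-chosen arguments, so the list has to be kept to types whose construction has no side effects. Unrestricted `pickle.loads` would accept all four samples, including the two this loader refuses.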